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■ Obligatory Scare Talk £ 

■ Why should you care? 

■ What is the problem? 

■ How can TitanEngine change the world? 

■ Show ME! 

■ Show ME! A. 




Show ME! 
How can I help: 
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Fighting Malware: 
Old Problem 

Inadequate Infrastructure: 
New Problem 
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Security Industry is a 
For-Profit Entity 



But Could We 

Get Enough 

Bodies? 



Can't Hire Enough? 

Combine those we have 

into one Worldwide 

Non-profit Entity 

(Bwa-ha-ha!) 



OR... 

We could 

simply overload them... 



Is an overloaded 
anti-malware 

analyst an asset 
or a liability? 




: aiv* ; 




;; 


• 




6 


tek 



Henry Ford 

■ Anti-Malware labs are factories V3 

■ 100-200+ Analyst teams 

■ Advanced workflows 

■ Multiple levels of management 

■ Modern labor laws apply: No 20+ hour days 

■ Productivity can be improved 

■ Work process can be studied 

■ Improvements COULD be devised... 



So how can Labs do more? 



Charge more, Hire more 

Invest in automation, Invest in heuristics 

Deploy proactive modules, Buy competitors 

All the usual stuff 

... and they could revise their processes 



So how can Labs do more? 



i,ooos of OllyDBG and IDAPro scripts can 
better be reused; could be generalized 

Sample analysis, OEP discovery could benefit 
all team members 

Reversing should be a team effort 



Competition is tough 

■ Bad guys 

Rise of $$ motivated custom attacks 
Resourceful crime syndicates 



Protection is lacking 



Signatures only "important" for threats 
Need for other types of protection 
Behavioral & HIPS tools that work 



Passion for binary protection 

■ Meatiest task today is dealing with 
protection techniques 

■ Task repetition, Error prone, Not 
reusable 

■ Large number of file formats can be 
infected and used for malware 



Passion for binary protection 



Executable files == most significant threat 
Executables == the "usual suspect" for malware 
1 85% of malware samples are packed 

Packing hides malware, hardens its detection 
Packed or protected doesn't mean bad! 

10% of legitimate software is packed 



Passion for binary protection 



Legit use for packers & protectors: 
] Compressed binaries decrease bandwidth usage 

Protect intellectual property 

Protect from code theft 

Anti-tampering in multi-player games 

Safeguard licensing code 
Successfully used by malware authors 

For all the same reasons 



Analyzing Malware 



Malware File Analysis Requires: 
In-depth knowledge of how PE works 
In-depth knowledge of how Windows works 
Various tools to make you reach your goal 

Understanding of Basic Shell Divisions: 

Packers, Protectors, Crypters, Bundlers & Hybrids 
Custom malware-specific packers & protectors 



/*4o8i6o*/ PUSHAD 

/*4o8i6i*/ MOV ESI / crackme_.oo4o6ooo 

/*408i66*/ LEA EDI,DWORD PTR DS:[ESI+FFFFBooo] 

P40816C*/ PUSH EDI 

/*4o8i6D*/ OREBP,FFFFFFFF 

/*4o8i70*/ JMP SHORT crackme_.oo4o8i82 

/*4o8i72*/ NOP 

P408173*/ NOP 

/*4o8i74*/ NOP 

K23 What's the Re> 

P408177*/ NOP 
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/*408i7B*/ MOV BYTE P 



What's the Reversing 
Process Today? 



Reversing in action | 

■ Inspect the Sample 

° Identify the packing shell or compiler 








File: DiVnalware. sample.exe | ,,, | 




Entrypoint: 00003160 EP Section: |UPX1 | > 1 


File Offset: 1 00003160 First Bytes: 60 r BE r 00 r 60 > | 


Linker Info: 1 6.0 Subsystem: Win 32 GUI _>J 


|UPX 0,89,6 - 1,02/1,05 - 1,24 -> Markus aLaszio 


MultiScan | Task Viewer | Options | | About | Exit 
W Stay on top | *» | | -> | 
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Reversing in action | 

■ Unpack the Sample 

Execute it to the original entry point 
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OllyDbg 



Reversing in action | 

■ Unpack the Sample 

Execute it to the original entry point 
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OllyDbg 



Reversing in action | 



Unpack the Sample 

Execute it to the original entry point 
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Reversing in action | 



Unpack the Sample 

Dump the process memory 
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Problems with File analysis 

■ File analysis takes time 

Identifying requires keeping up with shells 
Shells evolve & have different forms 

■ Analysts get more samples then they can handle 

■ File unpacking takes even more time 

1 Protection u tricks" continue to evolve 
Yet, this process can be automated! 



Fast Reversing | Tomorrow 

■ TitanEngine key features: 

Framework designed to work with PE files 

250 documented functions 

Easy automation of all reversing tools 

Supports both x86 and X64 

Can create: 

Static, Dynamic & Generic unpackers 

New file analysis tools 
Tested on over 150 unpackers 
Its free and open source! 



Furious Reversing | Tomorrow 

■ Engine simulates reverse engineer's presence 
Unpacking process has the same steps: 
Debugs until entry point 
Dumps memory to disk 
Collects data for import fixing 
Collects data for relocation fixing 
Custom fixes (Code splices, Entry point, ...) 



TitanEngine| 



SDKContains: 

Integrated X86/X64 debugger 
Integrated X86/X64 disassembler 
Integrated memory dumper 
Integrated import tracer & fixer 
Integrated relocation fixer 
Integrated file realigner 
TLS, Resources, Exports... 



TitanEngine | Debugger 

■ Integrated X86/X64 Debugger 
Attach / Detach 

Trace, including single stepping 
Set several types of breakpoints: 

Software (INT3) 

Hardware 

Memory 

Flexible 



Access debugged file's context 



TitanEngine | Debugger 



Integrated X86/X64 Debugger 
Disassembly instructions 

Disassemble a length 

Full disassemble 
Memory manipulation 

Find, Replace, Patch, Fill... 
Get call/jump destination 
Check if the jump will execute or not 
Thread module for thread manipulation 
Librarian module for module manipulation 



TitanEngine | Dumper 

■ Integrated Memory Dumper 
Dump memory 

Process, regions or modules 
Paste PE header from disk to memory 
Manipulate file sections 

Extract, resort, add, delete & resize 
Manipulate file overlay 

Find, extract, add, copy & remove 



TitanEngine | Dumper 

■ Integrated Memory Dumper 
Convert addresses 
From relative to physical, and vice-versa 
Get section number from address 
D PE header data 

Get and set PE header values 



TitanEngine | Importer 



Integrated Import Fixer 

Build new import tables on the fly 
Get API information 

API address in both your & debugged process 

DLL to hold API from API address 

Remote & local DLL loaded base 

API name from address 

API Forwarders 



TitanEngine | Importer 



Integrated Import Fixer 
Automatic import table functions: 
Locate import table in the memory 
Fix the import table automatically 
■ Fix import eliminations, automatically 
Enumerate and handle import table data 
Move import table from one file to another 
Load import table from any PE file 



TitanEngine| 



Integrated Import Tracer 

Identify import redirections and eliminations 

Fix known import protections 
Use integrated tracers to resolve imports 

Static disassembly tracer 

Static hasher disassembly tracer 
Use ImpRec modules to fix redirections 



TitanEngine| Relocater 



Integrated Relocation Fixer 

Build new relocation table on the fly 

Resolve relocation table 
Grab relocation table directly from the process 
Make & compare memory snapshots 

Remove relocation table from the file 

Relocate file to new image base 



TitanEngine | Realig 

■ Integrated File Realigner 
Validate PE files 
Fix broken PE files 
Realign files: reduce size & validate 
Fix header checksum 
Wipe sections 



TitanEngine|The Rest 



Remove callbacks 

Break at callbacks 
Exporter 

Build export tables on the fly 
Handler 

Close remote handles 

Get file lock handles 

Find open mutexes 



TitanEngine|The Rest... 

■ Resource 

Extract resource 

■ Remote 

1 Load & Free libraries into running process 

■ OEP Finder 

GetOEP location generically 

■ Static 

Unpack files statically 



Back to Basics: 
Shell Modifier Types 

■ Shell Division 
Crypters 
Packers 
Protectors 
Bundlers 

Data bundlers 

Overlay/Resource bundlers 
Hybrids 



Unpacker Types... 

■ Basic Unpacker Division 
Static unpackers: 

■ Pro: simple, fast & supported byTitanEngine 

■ Con: don't work if internal shell mechanisms change 
Dynamic unpackers: 

■ Pro: u simple ,, / fast & supported byTitanEngine 

■ Con: carry a certain risk of file execution! 
Generic unpackers: 

):Can support large number of similar shells 

■ Con: Can be highly inaccurate! 



Writing an Unpacker... 



Analyze the Packing Shell 
n Stepi 

Determine protection types 

■ Design ways to avoid them 

■ Determine method to resolve custom protections 

■ Determine method to skip entry point layer protection 

■ Determine if we can automate file identification 



Writing an Unpacker... 



Analyze the Packing Shell 
° Step 2 

■ Locate packing shell's important parts 

■ Where does it fill import table? 

■ Where does it relocate the file? 

■ How does it jump to OEP? 

Identify byte patterns, using lots of samples! 

■ Proper patterns contain wild cards 

■ Proper patterns work on all samples 

■ Proper patterns are based on multiple compiler cases! 



Writing an Unpacker... 

■ Writing the Unpacking Code 
n Step 3 

Select the best platform for unpacker creation 

■ Select framework 

• Write a custom one, or select existing 

■ Select programming language 
D Step 4 

Write and test it 

■ Test on as many samples as you can get your hands on! 



Dynamic Unpacker Layout 
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SetBPX 












DebugLoop 
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Dynamic Unpacker Layout 




Dynamic Unpacker Layout 


GetPEdata 


p Importfix -* Relocfix -* Entrypoint 
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Entry Point 




InitDebug 












SetBPX 




DumpProcess 
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DebugLoop 
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File -> New Unpacker... 



Creating a Dynamic Unpacker for UPX: 
Gathering info on the packer 

Free & open source 
■ Can pack DLL & EXE files 

Multiple platforms supported 

DEP supported but no x64 support 
Multiple unpackers exist 

UPX can decompress itself! 
Multiple signatures available 



UPX Analysis 



Packer Code Points of Interest 
D Point of interest #1: 

Import table filling (string case) 

/*40826C*/ MOV EAX, DWORD PTR DS:[EDI] 

/*40826E*/ OR EAX.EAX 

/*408270*/ DE SHORT crackme_.004082AE 

/*408272*/ MOV EBX, DWORD PTR DS:[EDI+4] 

/*408275*/ LEA EAX, DWORD PTR DS : [EAX+ESI+8510] 

/*40827C*/ ADD EBX.ESI 

C /*40827E*/ PUSH EAX 

/*40827F*/ ADD EDI.8 

/*408282*/ CALL NEAR DWORD PTR DS : [ESI+854C] ^ 

/*408288*/ XCHG EAX, EBP 

Bytes: 96 4C 85 00 00 



UPX Analysis 



Packer Code Points of Interest 
D Point of interest #1: 

■ Import table filling (ordinal case) 



MOVZX EAX3WORD PTR 



*40C310*/ 
*40C316*/ 



REPNE SCAS BYTE PTR ES:[EDI] 

PUSH EBP 

CALL NEAR DWORD PTR DS : [ESI+CBF8] 



Bytes: ?? (BPX) 

Bytes: 57 48 F2 AE ??FFg6 F8 CB 00 00 



UPX Analysis 



Packer Code Points of Interest 
D Point of interest #3: 

Entry point jump (old method) 

/*4082A1*/ MOV DWORD PTR DS:[EBX],EAX 

/*4082A3*/ ADD EBX.4 

/*4082A6*/ DMP SHORT crackme_. 00408289 

/*4082A8*/ CALL NEAR DWORD PTR DS : [ESI+8554] 

/*4082AE*/ POPAD 

/*4082AF*/ DMP crackme .004012C0 



UPX Analysis 



Packer Code Points of Interest 
D Point of interest #3: 

Entry point jump (new method) 



LEA EAX, DWORD PTR SS:[ESP-80] 



/*45F5F5*/ POPAD 

/*45F5F6*/ LEA EAX, DWORD PT 

/*45F5FA*/ PUSH 

/*45F5FC*/ CMP ESP.EAX 

/*45F5FE*/ DNZ SHORT dELPHI 

/*45F600*/ SUB ESP, -80 



}EC??E9 3oD9FEFF 



UPX Unpacker 



Starting the "Engine" 
Read interesting file data 

ImageBase, AddressOfEntryPoint, .. 
Initialize the debugger 
InitDebugEx for executables 
InitDLLDebug for libraries 
] Set initial breakpoint at packer EP 
DebugLoop(); 



UPX I Unpacker EP Callback 

■ Finding Our Points of Interest 
Find import filling code 
■ Set breakpoints pointing to import handle code 

■ There are one or two breakpoints here 
Find "relocate to new base" code 

Set breakpoints pointing to snapshot code 

■ There is one breakpoint here (optional) 
Find entry point jump 

Set breakpoints pointing to unpack finalization 

■ There is one breakpoint here (but two patterns!) 



UPX Unpacker Breakpoints 



Assign Callbacks to Our Breakpoints 
D Import fixing callback 

Breakpoint #1; Loading new library 

■ In this callback call ImporterAddNewDLL 

■ Data: EAX holds the pointer to string in remote process 



UPX Unpacker Breakpoints 

■ Assign Callbacks to Our Breakpoints 
D Import fixing callback 

■ Breakpoint #2: Getting API address (string case) 

■ In this callback call ImporterAddNewAPI 

■ Data: EAX holds the pointer to string in remote process 

■ Data: EBX holds the data write address 
Breakpoint #3: Getting API address (ordinal case) 

■ In this callback call ImporterAddNewAPI 

■ Data: EDI holds the ordinal number 

■ Data: EBX holds the data write address 



UPX Unpacker Breakpoints 



Assign Callbacks to Our Breakpoints 
Relocation fixing callback 
Breakpoint #4; Snapshot #1 

■ This is optional breakpoint, present only if file is DLL 

■ In this callback we create a snapshot file 

■ Function RelocaterMakeSnapshoot 

• Memory which will be snapshot is first PE section 



UPX Unpacker Breakpoints 



Assign Callbacks to Our Breakpoints 
Original entry point callback 
Breakpoint #5 

■ Dump the process with DumpProcess 

■ Fix (possibly broken) PE header with PastePEHeader 

■ Make second relocation snapshot & compare them 

■ Add new section for IAT and export IAT to it 

• ImporterExportlAT 

■ Add new section for relocations and export them 

• RelocaterExportRelocation / RelocaterChangeFileBase 

■ Realign the file with RealignPE 

■ Move overlay from original to unpacked file 

■ StopDebug(); 



File -> New Unpacker... 

■ Create a Generic Executable Unpacker 
No signatures, no patterns, no problem... 

Generically determine OEP location 
■ EP can not be fixed without getting into specifics 

Automatically fix imports 

■ Fix redirections & import eliminations 
No hassle with relocations 

■ But generic DLL unpacker is possible! 
Dual process dilemma? 



Generic 

■ Creating i 


OEP finder blueprint 

■i generic entry point finder 


GetPEdata 




Code sections 


^^ i. EIP inside sections 




tMemoryBPX 


1 h ht t 2 " Already written to 

3. Hash has changed 




r^x, 1 4- Not a simple redirection 
tMemoryBPX 1 r 


1 SetMemoryBPX 
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' — >l Your code 1 ' Finalize unpack > StopDebug 
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TitanEngine What's Next? 



Extend Framework 
File function analysis 
Plugins, modules and scripts 
Integrated file identification 
Extend SDK to Delphi and MASM 
Extend SDK to python and ruby 

More Samples of Usage 
One unpacker per week project 

More Analysis Tools Built Around It 
UnpackStudio, MFK... 



TitanEngine - How to Help? 



http://titan. reversinalabs.com 



Open Source Project 
Contribute Solutions 
Help others with tutorials 
Contribute Code 
Forums 



